<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<div th:replace="~{commons/commons::head}"></div>

<body>
<!-- 顶部导航栏 -->
<div th:replace="~{commons/commons::topbar}"></div>

<div class="container-fluid">
    <div class="row">
        <!-- 侧边栏 -->
        <div th:replace="~{commons/commons::siderbar(active='fastjson.html')}"></div>

        <main role="main" class="col-md-10 offset-md-2 pt-3 main">
            <div class="card">
                <div class="card-header py-1">
                    <div class="vul_header">
                        <span>组件漏洞 - Fastjson反序列化</span>
                    </div>
                </div>

                <div class="card-body">
                    <ul class="nav nav-tabs">
                        <li class="nav-item">
                            <a class="nav-link active" data-toggle="tab" href="#vulDescription">
                                漏洞描述</a>
                        </li>
                        <li class="nav-item">
                            <a class="nav-link" data-toggle="tab" href="#secureCoding"> 安全编码</a>
                        </li>
                    </ul>

                    <div class="tab-content">
                        <div class="tab-pane active" id="vulDescription">
                            <div class="alert alert-desc"><i class="lnr lnr-alarm"></i>
                                fastjson是阿里巴巴的开源JSON解析库，它可以解析JSON格式的字符串，支持将Java
                                Bean序列化为JSON字符串，也可以从JSON字符串反序列化到JavaBean，历史上存在多个反序列化漏洞。
                            </div>
                        </div>
                        <div class="tab-pane fade" id="secureCoding">
                            <div class="alert alert-desc">
                                <li>方案一、对于第三方依赖组件，需要及时更新版本</li>
                                <li>方案二、修改配置</li>
                                通过配置以下参数开启 SafeMode 来防护攻击：ParserConfig.getGlobalInstance().setSafeMode(true)
                            </div>
                        </div>
                    </div>
                </div>
            </div>

            <div class="box-float">
                <div class="float1">
                    <a target="_blank" class="btn btn-sm btn-danger run-btn" onclick="submitJSON()">
                        <svg xmlns="http://www.w3.org/2000/svg" width="13" height="13" fill="currentColor"
                             viewBox="0 0 16 16">
                            <path d="m12.14 8.753-5.482 4.796c-.646.566-1.658.106-1.658-.753V3.204a1 1 0 0 1 1.659-.753l5.48 4.796a1 1 0 0 1 0 1.506z"/>
                        </svg>
                        <span class="align-middle"> Run</span>
                    </a>
                    <h5><span class="lnr lnr-bug"> 漏洞代码</span></h5>

                    <textarea class="form-control" id="code1">
/**
 * 产生原因：低版本且用到反序列化功能
 */
public String vul(@RequestBody String content) {
    Object obj = JSON.parse(content);
    return obj.toString();
}

<!-- 不安全的低版本依赖包 -->
<dependency>
    <groupId>com.alibaba</groupId>
    <artifactId>fastjson</artifactId>
    <version>1.2.24</version>
</dependency>
                    </textarea>

                </div>

                <div class="float2">

                    <h5><span class="lnr lnr-smile"> 安全代码</span></h5>
                    <textarea class="form-control" id="code2">
/**
 * 在1.2.68之后的版本，Fastjson增加了safeMode的支持，开启后可完全禁用autoType，注意评估对业务的影响。
 * https://github.com/alibaba/fastjson/wiki/fastjson_safemode
 */
public String safe1(@RequestBody String content) {
    // 启用安全模式来防止反序列化漏洞
    ParserConfig.getGlobalInstance().setSafeMode(true);
    Object obj = JSON.parse(content);
    return obj.toString()
}
                    </textarea>
                </div>

            </div>
        </main>
    </div>
</div>

<!-- 引入script -->
<div th:replace="~{commons/commons::script}"></div>

<script>
    function submitJSON() {
        const json = JSON.stringify({
            "@type": "com.best.hello.entity.Person",
            "age": 19,
            "id": 2,
            "name": "test"
        });
        const xhr = new XMLHttpRequest();
        xhr.open('POST', '/vulnapi/Fastjson/vul', true);
        xhr.setRequestHeader('Content-Type', 'application/json');
        xhr.send(json);
        xhr.onreadystatechange = function () {
            if (xhr.readyState === 4 && xhr.status === 200) {
                alert("抓个包看看");
            }
        }
    }
</script>

</body>

</html>